Fix unbounded recursive handling of SSL/GSS in ProcessStartupPacket()

The handling of SSL and GSS negotiation messages in
ProcessStartupPacket() could cause a recursion of the backend,
ultimately crashing the server as the negotiation attempts were not
tracked across multiple calls processing startup packets.

A malicious client could therefore alternate rejected SSL and GSS
requests indefinitely, each adding a stack frame, until the backend
crashed with a stack overflow, taking down a server.

This commit addresses this issue by modifying ProcessStartupPacket() so
that processed negotiation attempts are tracked, preventing infinite
recursive attempts. A TAP test is added to check this problem, where
multiple SSL and GSS negotiated attempts are stacked.

Reported-by: Calif.io in collaboration with Claude and Anthropic Research
Author: Michael Paquier <[email protected]>
Reviewed-by: Daniel Gustafsson <[email protected]>
Security: CVE-2026-6479
Backpatch-through: 14

Branch
------
master

Details
-------
https://git.postgresql.org/pg/commitdiff/b63f25bddfebc67b1e78f86341a6aecb0e9fe576
Author: Michael Paquier <[email protected]>

Modified Files
--------------
src/backend/tcop/backend_startup.c     | 25 +++++++++-
src/test/postmaster/meson.build        |  1 +
src/test/postmaster/t/004_negotiate.pl | 83 ++++++++++++++++++++++++++++++++++
3 files changed, 107 insertions(+), 2 deletions(-)
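Added example, not part of the commit and not PostgreSQL's code: a simplified C model of the failure mode the commit message describes, next to a handler that tracks negotiation attempts per connection. The packet kinds, the struct and the function names are hypothetical, and the input sequence is constructed.

```c
#include <stdbool.h>
#include <stddef.h>

/* Hypothetical packet kinds for this model; not PostgreSQL protocol codes. */
enum pkt { PKT_SSL, PKT_GSS, PKT_STARTUP };

/* Negotiation state kept for the whole connection, not per call. */
struct neg_state { bool ssl_seen; bool gss_seen; };

/*
 * Untracked model: every rejected negotiation request re-enters the handler
 * with no memory of earlier attempts, so nesting grows with the input.
 * Returns the nesting depth reached, or -1 if no startup packet arrives.
 */
static int handle_untracked(const enum pkt *p, size_t n, int depth)
{
    if (n == 0) return -1;
    if (p[0] == PKT_STARTUP) return depth;
    return handle_untracked(p + 1, n - 1, depth + 1); /* one level per request */
}

/*
 * Tracked model: each request type is accepted at most once per connection,
 * so at most two negotiation packets can precede the startup packet.
 * Returns the number of negotiation packets handled, or -1 on rejection.
 */
static int handle_tracked(const enum pkt *p, size_t n)
{
    struct neg_state st = { false, false };
    for (size_t i = 0; i < n; i++) {
        switch (p[i]) {
        case PKT_STARTUP: return (int) i;
        case PKT_SSL:
            if (st.ssl_seen) return -1;   /* repeated SSL request */
            st.ssl_seen = true; break;
        case PKT_GSS:
            if (st.gss_seen) return -1;   /* repeated GSS request */
            st.gss_seen = true; break;
        }
    }
    return -1;                            /* input ended without startup */
}

int main(void)
{
    /* Constructed input: alternating requests, then a startup packet. */
    const enum pkt flood[] = { PKT_SSL, PKT_GSS, PKT_SSL, PKT_GSS, PKT_SSL, PKT_GSS, PKT_STARTUP };
    size_t n = sizeof flood / sizeof flood[0];
    return (handle_untracked(flood, n, 0) == 6 && handle_tracked(flood, n) == -1) ? 0 : 1;
}
```

In the untracked model the nesting depth equals the number of negotiation packets the client sends; in the tracked model it is bounded at two regardless of input length.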
